diff options
| author |   Ross Burton <ross@burtonini.com> | 2021-12-01 10:27:43 +0000 |
|---|---|---|
| committer |   Richard Purdie <richard.purdie@linuxfoundation.org> | 2021-12-03 23:36:21 +0000 |
| commit | ac670fd4f543f439efdea26e813a4b5121161289 (patch) | |
| tree | aefbc147f97b5f98a2e63c7d912ad0f9b02e9040 /meta/recipes-connectivity | |
| parent | ec2131070cae6c3933e5b08986e8245fcd9deb99 (diff) | |
| download | openembedded-core-contrib-ac670fd4f543f439efdea26e813a4b5121161289.tar.gz | |
openssl: fix EVP_PKEY_CTX_get_rsa_pss_saltlen() not returning a value
Backport a patch from upstream. Specifically, this fixes signature
validation in trusted-firmware-a with OpenSSL 3.
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-connectivity')
| -rw-r--r-- | meta/recipes-connectivity/openssl/openssl/0001-Fix-EVP_PKEY_CTX_get_rsa_pss_saltlen-no.patch | 108 | ||||
| -rw-r--r-- | meta/recipes-connectivity/openssl/openssl_3.0.0.bb | 1 |
2 files changed, 109 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/openssl/openssl/0001-Fix-EVP_PKEY_CTX_get_rsa_pss_saltlen-no.patch b/meta/recipes-connectivity/openssl/openssl/0001-Fix-EVP_PKEY_CTX_get_rsa_pss_saltlen-no.patch new file mode 100644 index 0000000000..b85a3ad7d2 --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl/0001-Fix-EVP_PKEY_CTX_get_rsa_pss_saltlen-no.patch @@ -0,0 +1,108 @@ +Fix EVP_PKEY_CTX_get_rsa_pss_saltlen, and also disable the tests in non-default +context (required when backporting, not needed with 3.0.1). + +Upstream-Status: Backport +Signed-off-by: Ross Burton <ross.burton@arm.com> + +From 6b5c02f6173e5fd46a3685e676fcb5eee9ac43ea Mon Sep 17 00:00:00 2001 +From: Tom Cosgrove <tom.cosgrove@arm.com> +Date: Thu, 25 Nov 2021 15:49:26 +0000 +Subject: [PATCH] Fix EVP_PKEY_CTX_get_rsa_pss_saltlen() not returning a value + +When an integer value was specified, it was not being passed back via +the orig_p2 weirdness. + +Regression test included. + +Reviewed-by: Tomas Mraz <tomas@openssl.org> +Reviewed-by: Paul Dale <pauli@openssl.org> +(Merged from https://github.com/openssl/openssl/pull/17136) +--- + crypto/evp/ctrl_params_translate.c | 12 +++++++----- + test/evp_extra_test.c | 30 ++++++++++++++++++++++++++++++ + 2 files changed, 37 insertions(+), 5 deletions(-) + +diff --git a/crypto/evp/ctrl_params_translate.c b/crypto/evp/ctrl_params_translate.c +index 88945e13e6..6638209a8d 100644 +--- a/crypto/evp/ctrl_params_translate.c ++++ b/crypto/evp/ctrl_params_translate.c +@@ -1379,21 +1379,23 @@ static int fix_rsa_pss_saltlen(enum state state, + if ((ctx->action_type == SET && state == PRE_PARAMS_TO_CTRL) + || (ctx->action_type == GET && state == POST_CTRL_TO_PARAMS)) { + size_t i; ++ int val; + + for (i = 0; i < OSSL_NELEM(str_value_map); i++) { + if (strcmp(ctx->p2, str_value_map[i].ptr) == 0) + break; + } +- if (i == OSSL_NELEM(str_value_map)) { +- ctx->p1 = atoi(ctx->p2); +- } else if (state == POST_CTRL_TO_PARAMS) { ++ ++ val = i == OSSL_NELEM(str_value_map) ? atoi(ctx->p2) ++ : (int)str_value_map[i].id; ++ if (state == POST_CTRL_TO_PARAMS) { + /* + * EVP_PKEY_CTRL_GET_RSA_PSS_SALTLEN weirdness explained further + * up + */ +- *(int *)ctx->orig_p2 = str_value_map[i].id; ++ *(int *)ctx->orig_p2 = val; + } else { +- ctx->p1 = (int)str_value_map[i].id; ++ ctx->p1 = val; + } + ctx->p2 = NULL; + } +diff --git a/test/evp_extra_test.c b/test/evp_extra_test.c +index 83f8902d24..9ad37a2bce 100644 +--- a/test/evp_extra_test.c ++++ b/test/evp_extra_test.c +@@ -3049,6 +3049,35 @@ static int test_EVP_rsa_pss_with_keygen_bits(void) + return ret; + } + ++static int test_EVP_rsa_pss_set_saltlen(void) ++{ ++ int ret = 0; ++ EVP_PKEY *pkey = NULL; ++ EVP_PKEY_CTX *pkey_ctx = NULL; ++ EVP_MD *sha256 = NULL; ++ EVP_MD_CTX *sha256_ctx = NULL; ++ int saltlen = 9999; /* buggy EVP_PKEY_CTX_get_rsa_pss_saltlen() didn't update this */ ++ const int test_value = 32; ++ ++ if (nullprov != NULL) ++ return TEST_skip("Test does not support a non-default library context"); ++ ++ ret = TEST_ptr(pkey = load_example_rsa_key()) ++ && TEST_ptr(sha256 = EVP_MD_fetch(testctx, "sha256", NULL)) ++ && TEST_ptr(sha256_ctx = EVP_MD_CTX_new()) ++ && TEST_true(EVP_DigestSignInit(sha256_ctx, &pkey_ctx, sha256, NULL, pkey)) ++ && TEST_true(EVP_PKEY_CTX_set_rsa_padding(pkey_ctx, RSA_PKCS1_PSS_PADDING)) ++ && TEST_true(EVP_PKEY_CTX_set_rsa_pss_saltlen(pkey_ctx, test_value)) ++ && TEST_true(EVP_PKEY_CTX_get_rsa_pss_saltlen(pkey_ctx, &saltlen)) ++ && TEST_int_eq(saltlen, test_value); ++ ++ EVP_MD_CTX_free(sha256_ctx); ++ EVP_PKEY_free(pkey); ++ EVP_MD_free(sha256); ++ ++ return ret; ++} ++ + static int success = 1; + static void md_names(const char *name, void *vctx) + { +@@ -3966,6 +3995,7 @@ int setup_tests(void) + ADD_ALL_TESTS(test_evp_iv_des, 6); + #endif + ADD_TEST(test_EVP_rsa_pss_with_keygen_bits); ++ ADD_TEST(test_EVP_rsa_pss_set_saltlen); + #ifndef OPENSSL_NO_EC + ADD_ALL_TESTS(test_ecpub, OSSL_NELEM(ecpub_nids)); + #endif +-- +2.25.1 + diff --git a/meta/recipes-connectivity/openssl/openssl_3.0.0.bb b/meta/recipes-connectivity/openssl/openssl_3.0.0.bb index 8852a51ca8..4b1ae71a85 100644 --- a/meta/recipes-connectivity/openssl/openssl_3.0.0.bb +++ b/meta/recipes-connectivity/openssl/openssl_3.0.0.bb @@ -13,6 +13,7 @@ SRC_URI = "http://www.openssl.org/source/openssl-${PV}.tar.gz \ file://afalg.patch \ file://0001-Configure-do-not-tweak-mips-cflags.patch \ file://armv8-32bit.patch \ + file://0001-Fix-EVP_PKEY_CTX_get_rsa_pss_saltlen-no.patch \ " SRC_URI:append:class-nativesdk = " \ |